Cannot access file mounted with Docker

Using Docker in Fedora 20, I tried to mount a directory. The mount worked correctly but I couldn’t access the file inside the docker container. I got permission denied when trying to read it, or change ownership of it using ‘root’ in the container.

docker run -i -t -v /path/to/volume:/opt rhel:6.5 bin/bash

The permissions show me it’s owned by user and group ID 1000:

#ls -la
drwxrwxr-x. 2 1000 1000 4096 Oct 6 21:46 opt

This is an SELinux permission problem. If you want to grant access to read the file from the Docker container, add this SELinux boolean on the host:

chcon -Rt svirt_sandbox_file_t /path/to/volume

Openshift version 3, what’s coming?

By far the biggest change coming in Openshift is the integration of Docker. Basically the cartridge will be replaced by a Docker container. This is great for application developers, who will have far more control over how they build and package their application for the cloud.

Docker was designed for Openshift. Openshift was already utilising Linux containers to run applications side by side in a multi-tenant way. Docker as introduced a well thought out API, and incremental storage strategy for Linux containers, which make them much easer for developers to use.

So it’s a happy marriage between Openshift and Docker. But how will it work under the covers. A recent presentation by Michal at the Openshift meet up in Brisbane shed some light on that. Keep in mind it’s still early days for Openshift version 3, it’s exciting times ahead. Here’s a preview of what it might look like.

GearD:

– Securely isolate containers
– quota restrictions
– user namespaces
– SELinux

– Makes containers isolated, and resilient to failure
– use SystemD to track, recover and limit processes
– failure of other containers should not effect other containers

– Make containers portable between hosts
– links, port mappings and environment vars
– easy to share amongst gears, and between hosts

– Make containers audible, constrained, and reliably logged
– leverage SystemD patterns for each of these

Docker-Source-Images, https://github.com/openshift/docker-source-to-images

– Similar to the current, binary deployment model
– Build source code, and deploy it, followed by a Docker commit

Support Cartridges using Centos

– To avoid licensing issues with using RHEL
eg: Ruby cart: https://github.com/openshift/ruby-19-centos

Stateless cartridges first, not sure about stateful cartridge implementation at this stage.

What this space!

Using Syntastic plugin for Vim

You can use Syntastic to check the syntax of various files including XML. I used it recently by following the installation guide here:

https://github.com/scrooloose/syntastic

After installing it, copy the XML, and DTD into the same directory and use “:SyntasticCheck” to do a check.

Docker Getting Started Notes

Install docker

docker.io/gettingstarted

I tried sudo docker run -i -t fedora /bin/bash I work for Red Hat :)

  • failed with:
  • Pulling repository fedora
    0d20aec6529d: Error pulling image (rawhide) from fedora, unexpected EOF

  • apparently not a fault tolerant connection
  • was successful with:
  • sudo docker pull fedora


Committing Changes

http://docs.docker.io/en/latest/use/basics/

  • Install a program into the container after running the shell:

    sudo docker run -i -t fedora /bin/bash
    yum -y install nc

  • Once you quit ‘nc’ is no longer installed
  • Persist your container to the local repository using:

    Get container id:

    sudo docker ps

    sudo docker commit fedora-nc

  • list images using

    sudo docker images

Bind a service on a TCP Port

http://docs.docker.io/en/latest/use/basics/

When running a job in docker the following network setup happens:

  • Allocated a network interface
  • Setup an IP for it, with network address translation

If you want to be able to call into the job via the network, you’ll have to publish a port to the host

JOB=$(sudo docker run -d -p 4444 fedora-nc /bin/nc -l 4444)

After that, you’ll need to use the ‘port’ command to see which public port is NATed to the container

PORT=$(sudo docker port $JOB 4444 | awk -F: '{ print $2 }')

Finally if you want to send a message to the container you can do so using the public port

hello world | nc 127.0.0.1 $PORT

Verify the network connection worked

echo "Daemon received: $(sudo docker logs $JOB)"